Method to protect software against unwanted use with a detection and coercion principle

ABSTRACT

The invention concerns a process to protect a vulnerable software working on a data processing system against its unauthorized usage using a processing and memorizing unit. The process comprises defining: 1) at least one software execution characteristic, liable to be monitored at least in part in a processing and memorizing unit 2) at least one criterion to abide by for at least one software execution characteristic 3) detection means to implement in a processing and memorizing unit and enabling to detect that at least one software execution characteristic does not abide by at least one associated criterion 4) coercion means to implement in a processing and memorizing unit and enabling to inform the data processing system and/or modify the execution of a software when at least one criterion is not abided by.

BACKGROUND OF THE INVENTION

This invention concerns the technical domain of data processing systems in the general sense, and is more precisely aimed at the means of protecting software running on said data processing systems against unauthorized usage.

The subject of the invention aims in particular at the means of protecting software against unauthorized usage, using a processing and memorizing unit, such a unit being commonly materialized by a chip card or a material key on USB port.

In the technical domain above, the main problem concerns the unauthorized usage of software by users who have not paid the license rights. This illicit use of software causes an obvious loss for software editors, software distributors and/or any person integrating such software in products. To avoid such illicit copies, various solutions, in the state of technology, have been proposed to protect software.

Thus, a protection solution is known, which makes use of a hardware protection system, such as a physical component named protection key or “dongle”. Such a protection key should guarantee that the software executes only in presence of the key. Yet, it must be acknowledged that this solution is ineffective because it presents the inconvenience of being easy to bypass. An ill-intentioned person or a hacker can, with the aid of specialized tools such as disassemblers, delete the control instructions of the protection key. It becomes then possible to make illicit copies corresponding to modified versions of the software able to run without the protection. Moreover, this solution cannot be generalized to all software, inasmuch as it is difficult to connect more than two protection keys to the same system.

BRIEF SUMMARY OF THE INVENTION

The subject of the invention aims precisely at finding a solution to the aforementioned problems by proposing a process to protect a software against unauthorized usage, using an ad hoc processing and memorizing unit, inasmuch as the presence of such a unit is necessary for the software to be completely functional.

So as to reach such a goal, the subject of the invention concerns a process to protect, using at least one blank unit including at least processing means and memorization means, a vulnerable software against its unauthorized usage, said vulnerable software being produced from a source and working on a data processing system. The process according to the invention comprises:

-   during a protection phase:     -   defining:         -   at least one software execution characteristic, liable to be             monitored at least in part in a unit,         -   at least one criterion to abide by for at least one software             execution characteristic,         -   detection means to implement in a unit and enabling to             detect that at least one software execution characteristic             does not abide by at least one associated criterion,         -   and coercion means to implement in a unit and enabling to             inform the data processing system and/or modify the             execution of a software when at least one criterion is not             abided by,     -   constructing exploitation means enabling to transform the blank         unit into a unit able to implement the detection means and the         coercion means,     -   creating a protected software:         -   by choosing at least one software execution characteristic             to monitor, among the software execution characteristics             liable to be monitored,         -   by choosing at least one criterion to abide by for at least             one chosen software execution characteristic,         -   by choosing, at least one algorithmic processing which,             during the execution of the vulnerable software, uses at             least one operand and enables to obtain at least one result,             and for which at least one chosen software execution             characteristic, is to be monitored,         -   by choosing at least one portion of the source of the             vulnerable software containing, at least one chosen             algorithmic processing,         -   by producing the source of the protected software from the             source of the vulnerable software, by modifying at least one             chosen portion of the source of the vulnerable software to             obtain at least one modified portion of the source of the             protected software, this modification being such that:             -   during the execution of the protected software a first                 execution part is executed in the data processing system                 and a second execution part is executed in a unit,                 obtained from the blank unit after upload of                 information,             -   the second execution part executes at least the                 functionality of at least one chosen algorithmic                 processing,             -   and during the execution of the protected software, at                 least one chosen execution characteristic is monitored                 by means of the second execution part and the fact that                 a criterion is not abided by leads to a modification of                 the execution of the protected software,         -   and by producing:             -   a first object part of the protected software, from the                 source of the protected software, said first object part                 being such that during the execution of the protected                 software, appears a first execution part which is                 executed in the data processing system and whose at                 least a portion takes into account that at least one                 chosen software execution characteristic is monitored,             -   and a second object part of the protected software,                 containing the exploitation means implementing the                 detection means and the coercion means, said second                 object part being such that, after upload to the blank                 unit and during the execution of the protected software,                 appears the second execution part by means of which at                 least one chosen software execution characteristic is                 monitored and by means of which the fact that a                 criterion is not abided by leads to a modification of                 the execution of the protected software,     -   and uploading the second object part to the blank unit, with the         intention of obtaining the unit, -   and during a usage phase during which the protected software is     executed:     -   in the presence of the unit:         -   and as long as all the criteria corresponding to all the             monitored execution characteristics of all the modified             portions of the protected software are abided by, enabling             said portions of the protected software to work nominally             and consequently enabling the protected software to work             nominally,         -   and if at least one of the criteria corresponding to a             monitored execution characteristic of a portion of the             protected software is not abided by, informing the data             processing system of it and/or modifying the functioning of             the portion of the protected software, so that the             functioning of the protected software is modified,     -   and in the absence of the unit, in spite of the request by a         portion of the first execution part to trigger the execution in         the unit, of the functionality of a chosen algorithmic         processing, in not being able to fulfill said request correctly,         so that at least said portion is not executed correctly and that         consequently, the protected software is not completely         functional.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining:         -   as software execution characteristic liable to be monitored,             a variable of measurement of the usage of a functionality of             a software,         -   as criterion to abide by, at least one threshold associated             to each variable of measurement,         -   and actualization means enabling to update at least one             variable of measurement,     -   constructing the exploitation means enabling the unit to also         implement the actualization means,     -   and modifying the protected software:         -   by choosing as software execution characteristic to monitor,             at least one variable of measurement of the usage of at             least one functionality of a software,         -   by choosing:             -   at least one functionality of the protected software                 whose usage is liable to be monitored using a variable                 of measurement,             -   at least one variable of measurement used to quantify                 the usage of said functionality,             -   at least one threshold associated to a chosen variable                 of measurement corresponding to a limit of usage of said                 functionality,             -   and at least one method of update of a chosen variable                 of measurement depending on the usage of said                 functionality,         -   and by modifying at least one chosen portion of the source             of the protected software, this modification being such             that, during the execution of the protected software, the             variable of measurement is actualized by means of the second             execution part depending on the usage of said functionality,             and at least one threshold crossing is taken into account, -   and during the usage phase, in the presence of the unit, and in the     case where at least one threshold crossing corresponding to at least     one limit of usage is detected, informing the data processing system     of it and/or modifying the functioning of the portion of the     protected software, so that the functioning of the protected     software is modified.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   a defining:         -   for at least one variable of measurement, several associated             thresholds,         -   and different coercion means corresponding to each of said             thresholds,     -   and modifying the protected software:         -   by choosing in the source of the protected software, at             least one chosen variable of measurement to which must be             associated several thresholds corresponding to different             limits of usage of the functionality,         -   by choosing at least two thresholds associated to the chosen             variable of measurement,         -   and by modifying at least one chosen portion of the source             of the protected software, this modification being such             that, during the execution of the protected software, the             crossings of the various thresholds are taken into account             differently, by means of the second execution part, -   and during the usage phase:     -   in the presence of the unit:         -   in the case where the crossing of a first threshold is             detected, enjoining the protected software not to use the             corresponding functionality anymore,         -   and in the case where the crossing of a second threshold is             detected, making ineffective the corresponding functionality             and/or at least one portion of the protected software.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining refilling means enabling to credit at least one         software functionality monitored by a variable of measurement         with at least one additional usage,     -   constructing the exploitation means also allowing the unit to         implement the refilling means,     -   and modifying the protected software:         -   by choosing in the source of the protected software, at             least one chosen variable of measurement enabling to limit             the usage of a functionality and which must be able to be             credited with at least one additional usage,         -   and by modifying at least one chosen portion, this             modification being such that during a phase called of             refilling, at least one additional usage of at least one             functionality corresponding to a chosen variable of             measurement can be credited, -   and during the phase of refilling:     -   reactualizing at least one chosen variable of measurement and/or         at least one associated threshold, so as to allow at least one         additional usage of the functionality.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining:         -   as software execution characteristic liable to be monitored,             a profile of software usage,         -   and as criterion to abide by, at least one feature of             software execution,     -   and modifying the protected software:         -   by choosing as software execution characteristic to monitor             at least one profile of software usage,         -   by choosing at least one feature of execution by which at             least one chosen profile of usage must abide,         -   and by modifying at least one chosen portion of the source             of the protected software, this modification being such             that, during the execution of the protected software, the             second execution part abides by all the chosen features of             execution, -   and during the usage phase in the presence of the unit, and in the     case where it is detected that at least one feature of execution is     not abided by, informing the data processing system of it and/or     modifying the functioning of the portion of the protected software,     so that the functioning of the protected software is modified.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining:         -   an instructions set whose instructions are liable to be             executed in the unit,         -   a set of instructions commands for said instructions set,             said instructions commands being liable to be executed in             the data processing system and to trigger in the unit the             execution of the instructions,         -   as profile of usage, the chaining of the instructions,         -   as feature of execution, an expected chaining for the             execution of the instructions,         -   as detection means, means enabling to detect that the             chaining of the instructions does not correspond to the             expected one,         -   and as coercion means, means enabling to inform the data             processing system and/or to modify the functioning of the             portion of protected software when the chaining of the             instructions does not correspond to the expected one,     -   constructing the exploitation means also enabling the unit to         execute the instructions of the instructions set, the execution         of said instructions being triggered by the execution in the         data processing system, of the instructions commands,     -   and modifying the protected software:         -   by modifying at least one chosen portion of the source of             the protected software, this modification being such that:             -   at least one chosen algorithmic processing is split so                 that during the execution of the protected software,                 said algorithmic processing is executed by means of the                 second execution part, using instructions,             -   for at least one chosen algorithmic processing,                 instructions commands are integrated to the source of                 the protected software, so that during the execution of                 the protected software, each instruction command is                 executed by the first execution part and triggers in the                 unit, the execution by means of the second execution                 part, of an instruction,             -   a sequence of the instructions commands is chosen among                 the set of sequences allowing the execution of the                 protected software,             -   and the chaining by which must abide at least some of                 the instructions during their execution in the unit is                 specified, -   and during the usage phase, in the presence of the unit, in the case     where it is detected that the chaining of the instructions executed     in the unit does not correspond to the expected one, informing the     data processing system of it and/or modifying the functioning of the     portion of the protected software, so that the functioning of the     protected software is modified.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining:         -   as instructions set, an instructions set whose at least some             instructions work with registers and use at least one             operand with the intention of returning a result,         -   for at least some of the instructions working with             registers:             -   a part defining the functionality of the instruction,             -   and a part defining the expected chaining for the                 execution of the instructions and including bits fields                 corresponding to:                 -   an identification field of the instruction,                 -   and for each operand of the instruction:                 -    a flag field,                 -    and an expected identification field of the                     operand,         -   for each register belonging to the exploitation means and             used by the instructions set, a generated identification             field in which is automatically memorized the identification             of the last instruction which has returned its result in             said register,         -   as detection means, means enabling, during the execution of             an instruction, for each operand, when the flag field             imposes it, to check the equality of the generated             identification field corresponding to the register used by             said operand, and the expected identification field of the             origin of said operand,         -   and as coercion means, means enabling to modify the result             of the instructions, if at least one of the checked             equalities is false.

According to a preferred embodiment, the process according to the invention comprises:

-   during the protection phase:     -   modifying the protected software:         -   by choosing at least one variable used in at least one             chosen algorithmic processing, which during the execution of             the protected software, partially defines the state of the             protected software,         -   by modifying at least one chosen portion of the source of             the protected software, this modification being such that             during the execution of the protected software, at least one             chosen variable or at least one copy of chosen variable             resides in the unit,         -   and by producing:             -   the first object part of the protected software, said                 first object part being such that during the execution                 of the protected software, at least one portion of the                 first execution part takes also into account that at                 least one variable or at least one copy of variable                 resides in the unit,             -   and the second object part of the protected software,                 said second object part being such that, after upload to                 the unit and during the execution of the protected                 software, appears the second execution part by means of                 which at least one chosen variable, or at least one copy                 of chosen variable resides too in the unit, -   and during the usage phase:     -   in the presence of the unit each time a portion of the first         execution part imposes it, using a variable or a copy of         variable residing in the unit, so that said portion is executed         correctly and that, consequently, the protected software is         completely functional,     -   and in the absence of the unit, in spite of the request by a         portion of the first execution part to use a variable or a copy         of variable residing in the unit, not being able to fulfill said         request correctly, so that at least said portion is not executed         correctly and that, consequently the protected software is not         completely functional.

According to another preferred embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining:         -   as a triggering command, an instruction command,         -   as a dependent function, an instruction,         -   as an order, at least one argument for a triggering command,             corresponding at least in part to the information             transmitted by the data processing system to the unit, so as             to trigger the execution of the corresponding dependent             function,         -   a method of renaming of the orders enabling to rename the             orders so as to obtain triggering commands with renamed             orders,         -   and restoring means designed to be used in the unit during             the usage phase, and enabling to restore the dependent             function to execute, from the renamed order,     -   constructing exploitation means enabling the unit to also         implement the restoring means,     -   and modifying the protected software:         -   by choosing in the source of the protected software,             triggering commands,         -   by modifying at least one chosen portion of the source of             the protected software by renaming the orders of the chosen             triggering commands, so as to conceal the identity of the             corresponding dependent functions,         -   and by producing:             -   the first object part of the protected software, said                 first object part being such that during the execution                 of the protected software, the triggering commands with                 renamed orders are executed,             -   and the second object part of the protected software                 containing the exploitation means also implementing the                 restoring means, said second object part being such                 that, after upload to the unit and during the execution                 of the protected software, the identity of the dependent                 functions whose execution is triggered by the first                 execution part is restored by means of the second                 execution part, and the dependent functions are executed                 by means of the second execution part, -   and during the usage phase:     -   in the presence of the unit and each time a triggering command         with renamed order, contained in a portion of the first         execution part imposes it, restoring in the unit, the identity         of the corresponding dependent function and executing it, so         that said portion is executed correctly and that, consequently,         the protected software is completely functional,     -   and in the absence of the unit, in spite of the request by a         portion of the first execution part, to trigger the execution of         a dependent function in the unit, not being able to fulfill said         request correctly, so that at least said portion is not executed         correctly and that, consequently, the protected software is not         completely functional.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining for at least one dependent function, a family of         dependent functions algorithmically equivalent, but triggered by         triggering commands whose renamed orders are different,     -   and modifying the protected software:         -   by choosing, in the source of the protected software at             least one triggering command with renamed order,         -   and by modifying at least one chosen portion of the source             of the protected software by replacing at least the renamed             order of one chosen triggering command with renamed order,             with another renamed order, triggering a dependent function             of the same family.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase, defining, for at least one dependent     function, a family of algorithmically equivalent dependent     functions:     -   by concatenating a field of noise to the information defining         the functional part of the dependent function to execute in the         unit,     -   or by using the identification field of the instruction and the         expected identification fields of the operands.

According to a variant embodiment, the process according to the invention comprises:

-   during the protection phase:     -   defining:         -   as method of renaming of the orders, a ciphering method to             cipher the orders,         -   and as restoring means, means implementing a deciphering             method to decipher the renamed orders and thus restore the             identity of the dependent functions to execute in the unit.

According to another preferred embodiment, the process according to the invention comprises:

-   during the protection phase:     -   modifying the protected software:         -   by choosing, in the source of the protected software, at             least one conditional branch carried out in at least one             chosen algorithmic processing,         -   by modifying at least one chosen portion of the source of             the protected software, this modification being such that             during the execution of the t protected software, the             functionality of at least one chosen conditional branch is             executed, by means of the second execution part, in the             unit,         -   and by producing:             -   the first object part of the protected software, said                 first object part being such that during the execution                 of the protected software, the functionality of at least                 one chosen conditional branch is executed in the unit,             -   and the second object part of the protected software,                 said second object part being such that, after upload to                 the unit and during the execution of the protected                 software, appears the second execution part by means of                 which the functionality of at least one chosen                 conditional branch is executed, -   and during the usage phase:     -   in the presence of the unit and each time a portion of the first         execution part imposes it, executing the functionality of at         least one conditional branch in the unit, so that said portion         is executed correctly and that, consequently, the protected         software is completely functional,     -   and in the absence of the unit and in spite of the request by a         portion of the first execution part to execute the functionality         of a conditional branch in the unit, not being able to fulfill         said request correctly, so that at least said portion is not         executed correctly and that consequently, the protected software         is not completely functional.

According to a variant embodiment, the process according to the invention comprises, during the protection phase, modifying the protected software:

-   -   by choosing, in the source of the protected software, at least         one series of chosen conditional branches,     -   by modifying at least one chosen portion of the source of the         protected software, this modification being such that during the         execution of the protected software, the overall functionality         of at least one chosen series of conditional branches is         executed, by means of the second execution part, in the unit,     -   and by producing:         -   the first object part of the protected software, said first             object part being such that during the execution of the             protected software, the functionality of at least one chosen             series of conditional branches is executed in the unit,         -   and the second object part of the protected software, said             second object part being such that, after upload to the unit             and during the execution of the protected software, appears             the second execution part by means of which the overall             functionality of at least one chosen series of conditional             branches is executed.

The process according to the invention thus enables to protect usage of a software by using a processing and memorizing unit which presents the characteristic of containing a part of the software being executed. It follows that any derived version of the software attempting to work without the processing and memorizing unit imposes to recreate the part of the software contained in the processing and memorizing unit during the execution, or else said derived version of the software will not be completely functional.

BRIEF DESCRIPTION OF THE DRAWINGS

Various other characteristics emerge from the description made below in reference to the appended diagrams which show, as non-limiting examples, embodiments and implementations of the subject of the invention.

FIGS. 10 and 11 are functional blocks diagrams illustrating the various representations of a software respectively not protected and protected by the process in accordance with the invention.

FIGS. 20 to 22 illustrate as examples, various embodiments of an apparatus implementing the process in accordance with the invention.

FIGS. 30 and 31 are functional blocks diagrams making explicit the general principle of the process in accordance with the invention.

FIGS. 40 to 43 are diagrams illustrating the protection process according to the invention implementing the principle of protection by variable.

FIGS. 70 to 74 are diagrams illustrating the protection process according to the invention implementing the principle of protection by detection and coercion.

FIGS. 80 to 85 are diagrams illustrating the protection process according to the invention implementing the principle of protection by par renaming.

FIGS. 90 to 92 are diagrams illustrating the protection process according to the invention implementing the principle of protection by conditional branch.

FIG. 100 is a diagram illustrating the different phases of implementation of the subject of the invention.

FIG. 110 illustrates an embodiment of a system allowing the implementation of the construction stage of the protection phase in accordance with the invention.

FIG. 120 illustrates an embodiment of a pre-customization unit used in the protection process in accordance with the invention,

FIG. 130 illustrates an embodiment of a system allowing the implementation of the tools making stage of the protection phase in accordance with the invention.

FIG. 140 illustrates an embodiment of a system allowing the implementation of the protection process according to the invention.

FIG. 150 illustrates an embodiment of a customization unit used in the protection process in accordance with the invention.

DETAILED DESCRIPTION OF THE INVENTION

In the rest of the description, the following definitions will be used:

-   -   A data processing system 3 is a system able to execute a         program.     -   A processing and memorizing unit is a unit able:         -   to accept data provided by a data processing system 3,         -   to return data to the data processing system 3,         -   to store data at least partly in secret and to retain at             least a part of said data even if the unit is switched off,         -   and to carry out algorithmic processing on said data, part             or all of the result being secret.     -   A unit 6 is a processing and memorizing unit implementing the         process according to the invention.     -   A blank unit 60 is a unit which does not implement the process         according to the invention, but which can receive data         transforming it into a unit 6.     -   A pre-customized unit 66 is a blank unit 60 which has received         part of data enabling it, after reception of supplementary data,         to be transformed into a unit 6.     -   The upload of information to a blank unit 60 or a pre-customized         unit 66 corresponds to a transfer of information to the blank         unit 60 or the pre-customized unit 66, and to a storage of said         transferred information. The transfer can possibly include a         change of the information format.     -   A variable, a function or data contained in the data processing         system 3 will be indicated by an uppercase letter, while a         variable, a function or data contained in the unit 6 will be         indicated by a lowercase letter.     -   A “protected software”, is a software which has been protected         by at least one of the principles of protection implemented by         the process in accordance with the invention.     -   A “vulnerable software”, is a software which has not been         protected by any principle of protection implemented by the         process in accordance with the invention.     -   In the case where differentiation between a vulnerable software         and a protected software is not important, the term “software”         is used,     -   A software has various representations depending on the instant         considered in its life cycle:         -   a source representation,         -   an object representation,         -   a distribution,         -   or a dynamic representation.     -   A source representation of a software is understood as a         representation which after transformation, results in an object         representation, A source representation can offer different         levels, from a conceptual abstract level to a level executable         directly by a data processing system or a processing and         memorizing unit.     -   An object representation of a software corresponds to a level of         representation which after transfer to a distribution and upload         to a data processing system or a processing and memorizing unit,         can be executed. It can be, for instance, a binary code, an         interpreted code, etc.     -   A distribution is a physical or virtual support containing the         object representation, said distribution having to be put at the         user's disposal to enable them to use the software.     -   A dynamic representation corresponds to the execution of the         software from its distribution.     -   A portion of a software corresponds to some part of the software         and can, for instance correspond, to one or several consecutive         or not instructions, and/or one or several consecutive or not         functional blocks, and/or one or several functions, and/or one         or several subprograms, and/or one or several modules. A portion         of a software can also correspond to all of said software.

FIGS. 10 and 11 illustrate the various representations respectively of a vulnerable software 2 v in the general sense, and of a protected software 2 p protected according to the process in accordance with the invention.

FIG. 10 illustrates various representations of a vulnerable software 2 v appearing during its life cycle, The vulnerable software 2 v can thus appear under any of the following representations:

-   -   a source representation 2 vs,     -   an object representation 2 vo,     -   a distribution 2 vd. Said distribution can have commonly the         form of a physical distribution medium such as a CDROM or the         form of files distributed through a network (GSM, Internet,         etc.),     -   or a dynamic representation 2 ve corresponding to the execution         of the vulnerable software 2 v on a data processing system 3 of         any known type, which classically includes, at least one         processor 4.

FIG. 11 illustrates various representations of a protected software 2 p appearing during its life cycle. The protected software 2 p can thus appear under any of the following representations:

-   -   a source representation 2 ps including a first source part         intended for the data processing system 3 and a second source         part intended for the unit 6, part of said source parts can         commonly be contained in common files,     -   an object representation 2 po including a first object part 2         pos intended for the data processing system 3 and a second         object part 2 pou intended for the unit 6,     -   a distribution 2 pd including:         -   a first distribution part 2 pds containing the first object             part 2 pos, said first distribution part 2 pds being             intended for the data processing system 3 and which can             commonly have the form of a physical distribution medium             such as a CDROM or the form of files distributed through a             network (GSM, Internet, etc.),         -   and a second distribution part 2 pdu having the form:             -   of at least one pre-customized unit 66 to which a part                 of the second object part 2 pou has been uploaded and                 for which the user has to finish the customization by                 uploading supplementary data so as to obtain a unit 6,                 said supplementary data being obtained, for instance, by                 download through a network,             -   or of at least one unit 6 to which the second object                 part 2 pou has been uploaded,     -   or a dynamic representation 2 pe corresponding to the execution         of the protected software 2 p. Said dynamic representation 2 pe         includes a first execution part 2 pes which is executed in the         data processing system 3 and an second execution part 2 peu         which is executed in the unit 6.

In the case where the differentiation between the different representations of the protected software 2 p is not important, the expressions first part of the protected software and second part of the protected software shall be used.

The implementation of the process according to the invention in accordance with the dynamic representation of FIG. 11, uses an apparatus 1 p including a data processing system 3 linked up by a link 5 to a unit 6. The data processing system 3 is of any type and includes, classically, at least one processor 4. The data processing system 3 can be a computer or be part, for instance, of various machines, devices, fixed or mobile products, or vehicles in the general sense. The link 5 can be realized in any possible way, such as for instance a serial link, a USB bus, a radio link, an optical link, a network link or a direct electric connection to a circuit of data processing system 3, etc. It should be observed that the unit 6 can possibly be physically located inside the same integrated circuit than the processor 4 of the data processing system 3. In this case, the unit 6 can be considered as a co-processor in relation to the processor 4 of the data processing system 3 and the link 5 is internal to the integrated circuit.

FIGS. 20 to 22 show in an illustrative and non-limiting manner, various embodiments of the apparatus 1 p allowing the implementation of the protection process in accordance with the invention.

In the embodiment illustrated in FIG. 20, the protection apparatus 1 p includes, as a data processing system 3, a computer and, as a unit 6, a chip card 7 and its interface 8 commonly called card reader. The computer 3 is linked up to the unit 6 by a link 5. During the execution of the protected software 2 p, the first execution part 2 pes which is executed in the computer 3 and the second execution part 2 peu which is executed in the chip card 7 and its interface 8, must both be functional so that the protected software 2 p is completely functional.

In the embodiment illustrated in FIG. 21, the protection apparatus 1 p equips a product 9 in the general sense, including various components 10 adapted to the function(s) assumed by such a product 9. The protection apparatus 1 p includes, on the one hand, a data processing system 3 embedded in the product 9 and, on the other hand, a unit 6 associated with the product 9. So that the product 9 is completely functional, the protected software 2 p, must be completely functional. Thus, during the execution of the protected software 2 p, the first execution part 2 pes which is executed in the data processing system 3 and the second execution part 2 peu which is executed in the unit 6, must both be functional. Said protected software 2 p enables therefore indirectly, to protect against unauthorized usage, the product 9 or one of its functionalities. For instance, the product 9 can be an installation, a system, a machine, a toy, a piece of domestic appliances, a phone, etc.

In the embodiment illustrated in FIG. 22, the protection apparatus 1 p includes several computers, as well as part of a communication network. The data processing system 3 is a first computer linked up by a link 5 of network type, to a unit 6 constituted by a second computer. For the implementation of the invention, the second computer 6 is used as a license server for a protected software 2 p. During the execution of the protected software 2 p, the first execution part 2 pes which is executed in the first computer 3 and the second execution part 2 peu which is executed in the second computer 6, must both be functional so that the protected software 2 p is completely functional.

FIG. 30 enables to make explicit more precisely, the protection process in accordance with the invention. It should be observed that a vulnerable software 2 v, is considered as being executed totally in a data processing system 3. On the other hand, in the case of the implementation of a protected software 2 p, the data processing system 3 includes transfer means 12 linked up by the link 5, to transfer means 13 being part of the unit 6 enabling to establish communication between the first execution part 2 pes and the second execution part 2 peu of the protected software 2 p.

It must be considered that the transfer means 12, 13 are of software and/or hardware nature and are capable of providing and, possibly, optimizing the data communication between the data processing system 3 and the unit 6. Said transfer means 12, 13 are adapted to enable to have at one's disposal a protected software 2 p which is, preferably, independent from the type of link 5 used. Said transfer means 12, 13 are not part of the subject of the invention and are not described more precisely as they are well known by the Man of art. The first part of the protected software 2 p includes commands. During the execution of the protected software 2 p, the execution of said commands by the first execution part 2 pes enables the communication between the first execution part 2 pes and the second execution part 2 peu. In the rest of the description, said commands are represented by IN, OUT or TRIG.

As illustrated in FIG. 31, to allow the implementation of the second execution part 2 peu of the protected software 2 p, the unit 6 includes protection means 14. The protection means 14 include memorization means 15 and processing means 16.

For the sake of simplification in the rest of the description, it is chosen to consider, during the execution of the protected software 2 p, the presence of the unit 6 or the absence of the unit 6. In actual fact, a unit 6 providing protection means 14 not adapted to the execution of the second execution part 2 peu of the protected software 2 p is also considered as missing, each time the execution of the protected software 2 p is not correct. In other words:

-   -   a unit 6 physically present and including protection means 14         adapted to the execution of the second execution part 2 peu of         the protected software 2 p, is always considered as present,     -   a unit 6 physically present but including protection means 14         not adapted, i.e. not allowing the correct implementation of the         second execution part 2 peu of the protected software 2 p is         considered as present, when it works correctly, and as missing         when it does not work correctly,     -   and a unit 6 physically missing is always considered as missing,

In the case where the unit 6 is constituted by a chip card 7 and its interface 8, the transfer means 13 are split into two parts, one being on the interface 8 and the other one being on the chip card 7. In this embodiment, the absence of the chip card 7 is considered as equivalent to the absence of the unit 6. In other words, in the absence of the chip card 7 and/or its interface 8, the protection means 14 are not accessible and do not enable the execution of the second execution part 2 peu of the protected software 2 p, so much so that the protected software 2 p is not completely functional.

In accordance with the invention, the protection process aims at implementing a principle of protection, called by <<detection and coercion>>, a description of which is carried out in relation to FIGS. 70 to 74.

For the implementation of the principle of protection by detection and coercion, are defined:

-   -   at least one software execution characteristic liable to be         monitored at least in part in the unit 6,     -   at least one criterion to abide by for at least one software         execution characteristic,     -   detection means 17 to implement in the unit 6 and enabling to         detect that at least one software execution characteristic does         not abide by at least one associated criterion,     -   and coercion means 18 to implement in the unit 6 and enabling to         inform the data processing system 3 and/or modify the execution         of a software, when at least one criterion is not abided by.

For the implementation of the principle of protection by detection and coercion, are also constructed exploitation means enabling to transform a blank unit 60 into a unit 6 implementing at least the detection means 17 and the coercion means 18.

FIG. 70 illustrates the means necessary to the implementation of this principle of protection by detection and coercion. The unit 6 includes the detection means 17 and the coercion means 18 belonging to the processing means 16. The coercion means 18 are informed by the detection means 17 that a criterion has not been abided by.

More precisely, the detection means 17 use information coming from the transfer means 13 and/or from the memorization means 15 and/or from the processing means 16, so as to monitor one or several software execution characteristics. For each software execution characteristic is set at least one criterion to abide by.

In the case where it is detected that at least one software execution characteristic does not abide by at least one criterion, the detection means 17 inform the coercion means 18 of it. Said coercion means 18 are adapted to modify, in the appropriate way, the state of the unit 6.

For the implementation of the principle of protection by detection and coercion, are also chosen:

-   -   at least one software execution characteristic to monitor, among         the software execution characteristics liable to be monitored,     -   at least one criterion to abide by for at least one chosen         software execution characteristic,     -   in the source of the vulnerable software 2 vs, at least one         algorithmic processing for which at least one software execution         characteristic is to be monitored,     -   a and in the source of the vulnerable software 2 vs, at least         one portion containing at least one chosen algorithmic         processing.

At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps. This modification is such that, during the execution of the protected software 2 p, among others:

-   -   at least one portion of the first execution part 2 pes, which is         executed in the data processing system 3, takes into account         that at least one chosen software execution characteristic is to         be monitored, at least in part in the unit 6,     -   and the second execution part 2 peu, which is executed in the         unit 6, monitors at least in part, a chosen software execution         characteristic.

During the execution of the protected software 2 p, protected by this principle of protection by detection and coercion, in the presence of the unit 6:

-   -   as long as all the criteria corresponding to all the monitored         execution characteristics of all the modified portions of the         protected software 2 p are abided by, said modified portions of         the protected software 2 p work nominally, so that said         protected software 2 p works nominally,     -   and if at least one of the criteria corresponding to a monitored         execution characteristic of a portion of the protected software         2 p is not abided by, the data processing system 3 is informed         of it and/or the functioning of the portion of the protected         software 2 p is modified, so that the functioning of the         protected software 2 p is modified.

Naturally, in the absence of the unit 6, at least one request by a portion of the first execution part 2 pes of the protected software 2 p to use the unit 6 cannot be fulfilled correctly so that at least said portion is not executed correctly and that consequently the protected software 2 p is not completely functional.

For the implementation of the principle of protection by detection and coercion, two types of software execution characteristics are used preferentially.

The first type of software execution characteristic corresponds to a variable of measurement of the execution of a software and the second type corresponds to a profile of usage of a software. Said two types of characteristics can be used independently or in combination.

For the implementation of the principle of protection by detection and coercion using, as execution characteristic, a variable of measurement of software execution, are defined:

-   -   in the memorization means 15, the possibility to memorize at         least one variable of measurement used to quantify the usage of         at least one functionality of a software,     -   in the detection means 17, the possibility to monitor at least         one threshold associated to each variable of measurement,     -   and actualization means enabling to update each variable of         measurement depending on the usage of the functionality to which         it is associated.

Are also constructed exploitation means implementing, in addition to the detection means 17 and the coercion means 18, the actualization means.

Are also chosen, in the source of the vulnerable software 2 vs:

-   -   at least one functionality of the vulnerable software 2 v whose         usage is liable to be monitored using a variable of measurement,     -   at least one variable of measurement used to quantify the usage         of said functionality,     -   at least one threshold associated to the variable of measurement         corresponding to a limit of usage of said functionality,     -   and at least one method of update of the variable of measurement         depending on the usage of said functionality,

The source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps, this modification being such that, during the execution of the protected software 2 p, the second execution 2 peu:

-   -   actualizes the variable of measurement depending on the usage of         said functionality,     -   and takes into account at least one threshold crossing.

In other words, during the execution of the protected software 2 p, the variable of measurement is updated depending on the usage of said functionality, and when the threshold is crossed, the detection means 17 inform of it the coercion means 18 which make an adapted decision to inform the data processing system 3 and/or to modify the processings carried out by the processing means 16 enabling to modify the functioning of the portion of the protected software 2 p, so that the functioning of the protected software 2 p is modified.

For the implementation of a first preferred variant embodiment of the principle of protection by detection and coercion using, as characteristic, a variable of measurement, are defined:

-   -   for at least one variable of measurement, several associated         thresholds,     -   and different coercion means corresponding to each of said         thresholds.

Are also chosen, in the source of the vulnerable software 2 vs:

-   -   at least one variable of measurement used to quantify the usage         of at least one functionality of the software and to which must         be associated several thresholds corresponding to different         limits of usage of said functionalities,     -   and at least two thresholds associated to the variable of         measurement.

The source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps, this modification being such that, during the execution of the protected software 2 p, the second execution part 2 peu:

-   -   actualizes the variable of measurement depending on the usage of         said functionality,     -   and takes into account, differently, the crossing of the various         thresholds.

In other words, classically, during the execution of the protected software 2 p, when the first threshold is crossed, the unit 6 informs the data processing system 3 enjoining the protected software 2 p not to use said functionality anymore. If the protected software 2 p carries on using said functionality, the second threshold will potentially be crossed. In the case where the second threshold is crossed, the coercion means 18 can make the chosen functionality ineffective and/or make the protected software 2 p ineffective.

For the implementation of a second preferred variant embodiment of the principle of protection by detection and coercion using, as characteristic, a variable of measurement, are defined refilling means enabling to credit at least one software functionality monitored by a variable of measurement with at least one additional usage.

Are also constructed exploitation means implementing, in addition to the detection means 17, the coercion means 18 and the actualization means, the refilling means.

Is also chosen, in the source of the vulnerable software 2 vs, at least one variable of measurement used to limit the usage of at least one functionality of the software and which must be able to be credited with at least one additional usage.

The source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps, this modification being such that, during a phase called of refilling, at least one additional usage of at least one functionality corresponding to a chosen variable of measurement can be credited.

Is carried out, during the phase of refilling, the reactualization of at least one chosen variable of measurement and/or of at least one associated threshold, so as to allow at least one additional usage of the corresponding functionality. In other words, it is possible, during the phase of refilling, to credit additional usages of at least one functionality of the protected software 2 p.

For the implementation of the principle of protection by detection and coercion using, as characteristic, a profile of software usage, is defined as criterion to abide by for said profile of usage, at least one feature of software execution.

Are also chosen, in the source of the vulnerable software 2 vs:

-   -   at least one profile of usage to monitor,     -   and at least one feature of execution by which at least one         chosen profile of usage must abide.

The source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps, this modification being such that, during the execution of the protected software 2 p, the second execution part 2 peu abides by all the chosen features of execution. In other words, the unit 6 itself monitors the way the second execution part 2 peu is executed and can inform the data processing system 3 and/or modify the functioning of the protected software 2 p, in the case where at least one feature of execution is not abided by.

During the execution of the protected software 2 p, protected by this principle, in the presence of the unit 6:

-   -   as long as all the features of execution of all the modified         portions of the protected software 2 p are abided by, said         modified portions of the protected software 2 p work nominally,         so that said protected software 2 p works nominally,     -   and if at least one feature of execution of a portion of         protected software 2 p is not abided by, the data processing         system 3 is informed of it and/or the functioning of the portion         of the protected software 2 p is modified, so that the         functioning of the protected software 2 p is modified.

The monitoring of different features of execution can be considered, like for instance the monitoring of the presence of instructions including a marker or the monitoring of the execution chaining for at least one part of the instructions.

For the implementation of the principle of protection by detection and coercion using as feature of execution to abide by, the monitoring of the execution chaining for at least one part of the instructions, are defined:

-   -   an instructions set, whose instructions are liable to be         executed in the unit 6,     -   a set of instructions commands for said instructions set, said         instructions commands are liable to be executed in the data         processing system 3. The execution of each of said instructions         commands in the data processing system 3 triggers in the unit 6,         the execution of the corresponding instruction,     -   detection means 17 enabling to detect that the chaining of the         instructions does not correspond to the expected one,     -   and coercion means 18 enabling to inform the data processing         system 3 and/or to modify the execution of a software when the         chaining of the instructions does not correspond to the expected         one.

Are also constructed exploitation means enabling the unit 6 to also execute the instructions of the instructions set, the execution of said instructions being triggered by the execution in the data processing system 3 of the instructions commands.

Is also chosen, in the source of the vulnerable software 2 vs, at least one algorithmic processing which must be remoted in the unit 6 and for which the chaining of at least one part of the instructions is to be monitored.

The source of the vulnerable software 2 vs is then modified, so as to obtain the source of the vulnerable software 2 ps, this modification being such that, during the execution of the protected software 2 p:

-   -   the second execution part 2 peu executes at least the         functionality of the chosen algorithmic processing,     -   the chosen algorithmic processing is split into instructions,     -   the chaining by which at least some of the instructions must         abide during their execution in the unit 6 is specified,     -   and the first execution part 2 pes of the protected software 2 p         executes instructions commands which trigger the execution of         the instructions in the unit 6.

During the execution of the protected software 2 p, protected by this principle, in the presence of the unit 6:

-   -   as long as the chaining of the instructions of all the modified         portions of the protected software 2 p, executed in the unit 6         corresponds to the expected one, said modified portions of the         protected software 2 p work nominally, so that said protected         software 2 p works nominally,     -   and if the chaining of the instructions of a portion of the         protected software 2 p executed in the unit 6 does not         correspond to the expected one, the data processing system 3 is         informed of it and/or the functioning of the portion of         protected software 2 p is modified, so that the functioning of         the protected software 2 p is modified.

FIG. 71 illustrates an example of implementation of the principle of protection by detection and coercion using, as feature of execution to abide by the monitoring of the execution chaining of a at least one part of the instructions, in the case where the expected chaining is abided by.

The first execution part 2 pes of the protected software 2 p, executed in the data processing system 3, executes instructions commands CI_(i) triggering, in the unit 6 the execution of the instructions i_(i) belonging to the instructions set. In said instructions set, at least some of the instructions each include a part defining the functionality of the instruction and a part enabling to verify the expected chaining for the execution of the instructions. In this example, the instructions commands CI_(i) are represented by TRIG(i_(i)) and the expected chaining for the execution of the instructions is i_(n), i_(n+1) and i_(n+2). The execution in the unit 6, of the instruction i_(n) gives the result a and the execution of the instruction i_(n+1) gives the result b. The instruction i_(n+2) uses as operand, the results a and b of the instructions i_(n) and i_(n+1) and its execution gives the result c.

Taking into account that said chaining of the instructions executed in the unit 6 corresponds to the expected one, it results in a normal or nominal functioning of the protected software 2 p.

FIG. 72 illustrates an example of implementation of the principle of protection by detection and coercion using, as feature of execution to abide by, the monitoring of the execution chaining of at least one part of the instructions, in the case where the expected chaining is not abided by.

According to this example, the expected chaining for the execution of the instructions is still i_(n), i_(n+1), and i_(n+2). However, the execution chaining is modified by the replacement of the instruction i_(n) with the instruction i′_(n), so that the chaining actually executed is i′_(n), i_(n+1) and i₊₂. The execution of the instruction i′_(n) gives the result a, i.e. the same result that the execution of the instruction i_(n). However, at the latest during the execution of the instruction i_(n+2), the detection means 17 detect that the instruction i′_(n) does not correspond to the expected instruction to generate the result a used as operand of the instruction i_(n+2) The detection means 17 inform of it the coercion means 18 which modify accordingly, the functioning of the instruction i_(n+2), so that the execution of the instruction i_(n+2) gives the result c′ which can be different than C. Naturally, if the execution of the instruction i′_(n) gives a result a′ different from the result a of the instruction i_(n), it is clear that the result of the instruction i_(n+2) can also be different from c.

In as much as the execution chaining of the instructions executed in the unit 6 does not correspond to the expected one, a modification of the functioning of the protected software 2 p can therefore be obtained.

FIGS. 73 and 74 illustrates a preferred variant embodiment of the principle of protection by detection and coercion using, as feature of execution to abide by, the monitoring of the execution chaining of at least one part of the instructions. According to this preferred variant, is defined an instructions set whose at least some instructions work with registers and use at least one operand with the intention of returning a result

As illustrated in FIG. 73, are defined for at least some of the instructions working with registers, a part PF defining the functionality of the instruction and a part PE defining the expected chaining for the execution of the instructions. The part PF corresponds to the operation code known by the Man of art. The part PE defining the expected chaining, includes bits fields corresponding to:

-   -   an identification field of the instruction CII,     -   and for each operand k of the instruction, with k varying from 1         to K, and K number of operands of the instruction:         -   a flag field CD_(k), indicating whether or not it is             appropriate to verify the origin of the operand k,         -   and an expected identification field CIP_(k) of the operand,             indicating the expected identity of the instruction which             has generated the contents of the operand k.

As illustrated in FIG. 74, the instructions set includes V registers belonging to the processing means 16, each register being named R_(v), with v varying from 1 to V. For each register R_(v), are defined two fields, namely:

-   -   a functional field CF_(v), known by the Man of art and enabling         to store the result of the execution of the instructions,     -   and a generated identification field CIG_(v), enabling to         memorize the identity of the instruction which has generated the         contents of the functional field CF_(v).

Said generated identification field CIG_(v) is automatically updated with the contents of the identification field of the instruction CII which has generated the functional field CF_(v). Said generated identification field CIG_(v) is neither accessible, nor modifiable by any of the instructions and is solely used for the detection means 17.

During the execution of an instruction, the detection means 17 carry out for each operand k the following operations:

-   -   the flag field CD_(k) is read,     -   if the flag field CD_(k) imposes it, the expected identification         field CIP_(k) and the generated identification field CIG_(v)         corresponding to the register used by the operand k are both         read,     -   the equality of the two fields CIP_(k) and CIG_(v) is checked,     -   and if the equality is false, the detection means 17 consider         that the execution chaining of the instructions is not abided         by.

The coercion means 18 enable to modify the result of the instructions when the detection means 17 has informed them of an instructions chaining not abided by. A preferred embodiment is carried out by modifying the functional part PF of the instruction currently executed or the functional part PF of subsequent instructions.

According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection called by <<variable>> a description of which is carried out in relation to FIGS. 40 to 43.

For the implementation of the principle of protection by variable, is chosen in the source of the vulnerable software 2 vs at least one variable which, during the execution of the vulnerable software 2 v, partially defines its state. By state of a software, must be understood the set of pieces of information, at a given moment, necessary to the complete execution of said software, so much so that the absence of such a chosen variable prejudices the complete execution of said software. Is also chosen at least one portion of the source of the vulnerable software 2 vs containing at least one chosen variable.

At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps. This modification is such that during the execution of the protected software 2 p, at least one portion of the first execution part 2 pes which is executed in the data processing system 3, takes into account that at least one chosen variable or at least one copy of chosen variable resides in the unit 6.

FIG. 40 illustrates an example of execution of a vulnerable software 2 v. In this example, during the execution of the vulnerable software 2 v in the data processing system 3, appear:

-   -   at time instant t₁, the assignment of the data X to the variable         V₁, represented by V₁←X,     -   at time instant t₂, the assignment of the value of the variable         V₁ to the variable Y, represented by Y←V₁,     -   and at time instant t₃, the assignment of the value of the         variable V₁ to the variable Z, represented by Z←V₁.

FIG. 41 illustrates an example of a first form of implementation of the invention for which the variable resides in the unit 6. In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p, and in presence of the unit 6, appear:

-   -   at time instant t₁, the execution of a transfer command         triggering the transfer of the data X from the data processing         system 3 to the variable v₁, located in the memorization means         15 of the unit 6, said transfer command being represented by         OUT(v₁, X) and corresponding in the end to the assignment of the         data X to the variable v₁,     -   at time instant t₂, the execution of a transfer command         triggering the transfer of the value of the variable v₁ residing         in the unit 6 to the data processing system 3 so as to assign it         to the variable Y, said transfer command being represented by         IN(v₁) and corresponding in the end to the assignment of the         value of the variable v₁ to the variable Y,     -   and at time instant t₃, the execution of a transfer command         triggering the transfer of the value of the variable v₁ residing         in the unit 6 to the data processing system 3 so as to assign it         to the variable Z, said transfer command being represented by         IN(v₁) and corresponding in the end to the assignment of the         value of the variable v₁ to the variable Z.

It should be observed that during the execution of the protected software 2 p, at least one variable resides in the unit 6. Thus, when a portion of the first execution part 2 pes of the protected software 2 p imposes it, and in the presence of the unit 6, the value of said variable residing in the unit 6 is transferred to the data processing system 3 to be used by the first execution part 2 pes of the protected software 2 p, so much so that said portion is executed correctly and that, consequently, the protected software 2 p is completely functional.

FIG. 42 illustrates an example of a second form of implementation of the invention for which a copy of the variable resides in the unit 6. In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p, and in the presence of the unit 6, appear:

-   -   at time instant t₁, the assignment of the data X to the variable         V₁ located in the data processing system 3, as well as the         execution of a transfer command triggering the transfer of the         data X from the data processing system 3 to the variable v₁         located in the memorization means 15 of the unit 6, said         transfer command being represented by OUT(v₁, X),     -   at time instant t₂, the assignment of the value of the variable         V₁ to the variable Y,     -   and at time instant t₃, the execution of a transfer command         triggering the transfer of the value of the variable v₁ residing         in the unit 6 to the data processing system 3 so as to affect it         to the variable Z, said transfer command being represented by         IN(v₁).

It should be observed that during the execution of the protected software 2 p, at least one copy of a variable resides in the unit 6. Thus, when a portion of the first execution part 2 pes of the protected software 2 p, imposes it, and in the presence of the unit 6, the value of said copy of variable residing in the unit 6 is transferred to the data processing system 3 to be used by the first execution part 2 pes of the protected software 2 p, so much so that said portion is executed correctly and that, consequently, the protected software 2 p is completely functional.

FIG. 43 illustrates an example of attempt of execution of the protected software 2 p, when the unit 6 is missing. In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p:

-   -   at time instant t₁ the execution of the transfer command         OUT(v₁, X) cannot trigger the transfer of the data X to the         variable v₁, taking into account the absence of the unit 6,     -   at time instant t₂, the execution of the transfer command IN(v₁)         cannot trigger the transfer of the value of the variable v₁, to         the data processing system 3, taking into account the absence of         the unit 6,     -   and at time instant t₃, the execution of the transfer command         IN(v₁) cannot trigger the transfer of the value of the variable         v₁ to the data processing system 3, taking into account the         absence of the unit 6.

It therefore appears that in the absence of the unit 6, at least one request by a portion of the first execution part 2 pes to use a variable or a copy of variable residing in the unit 6, cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional.

It should be observed that the data transfers between the data processing system 3 and the unit 6 illustrated in the previous examples use only simple assignments but that the Man of art will know how to combine them with other operations to obtain complex operations such as for instance OUT(v1, 2* X+3) or Z←(5* v1+v2).

According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection, called by << renaming>> a description of which is carried out in relation to FIGS. 80 to 85.

For the implementation of the principle of protection by renaming, are defined:

-   -   a set of dependent functions, whose dependent functions are         liable to be executed, by means of the second execution part 2         peu, in the unit 6, and possibly to transfer data between the         data processing system 3 and the unit 6, said set of dependent         functions can be finite or infinite,     -   a set of triggering commands for said dependent functions, said         triggering commands being liable to be executed in the data         processing system 3 and to trigger in the unit 6, the execution         of corresponding dependent functions,     -   for each triggering command, an order corresponding at least in         part to the information transmitted by the first execution part         2 pes, to the second execution part 2 peu, so as to trigger the         execution of the corresponding dependent function, said order         having the form of at least one argument of the triggering         command,     -   a method of renaming of the orders designed to be used during         the modification of the vulnerable software 2 v, such a method         enabling to rename the orders so as to obtain triggering         commands with renamed orders enabling to conceal the identity of         the corresponding dependent functions,     -   and restoring means 20 designed to be used in the unit 6 during         the usage phase and enabling to restore the initial order, from         the renamed order, so as to restore the dependent function to         execute.

For the implementation of the principle of protection by renaming, are also constructed exploitation means enabling to transform a blank unit 60 into a unit 6 implementing at least the restoring means 20.

For the implementation of the principle of protection by renaming, are also chosen, in the source of the vulnerable software 2 vs:

-   -   at least one algorithmic processing using at least one operand         and returning at least one result,     -   and at least one portion of the source of the vulnerable         software 2 vs, containing at least one chosen algorithmic         processing.

The source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps. This modification is such that, among others:

-   -   during the execution of the protected software 2 p, at least one         portion of the first execution part 2 pes, which is executed in         the data processing system 3, takes into account that the         functionality of at least one chosen algorithmic processing is         executed in the unit 6,     -   during the execution of the protected software 2 p, the second         execution part 2 peu, which is executed in the unit 6, executes         at least the functionality of at least one chosen algorithmic         processing,     -   each chosen algorithmic processing is split so that during the         execution of the protected software 2 p, each chosen algorithmic         processing is executed, by means of the second execution part 2         peu, using dependent functions.

Preferably, each chosen algorithmic processing is split into dependent functions fd_(n) (with n varying from 1 to N), namely:

-   -   -   possibly one or several dependent functions enabling the             placing of one or several operands at the unit 6's disposal,         -   dependent functions, some of which use the operand(s) and             execute in combination the functionality of the chosen             algorithmic processing, using said operand(s),         -   and possibly, one or several dependent functions enabling             the placing by the unit 6, at the data processing system 3's             disposal of the result of the chosen algorithmic processing,

    -   during the execution of the protected software 2 p, the second         execution part 2 peu executes the dependent functions fd_(n),

    -   during the execution of the protected software 2 p, the         dependent functions are triggered by triggering commands with         renamed orders,

    -   and a sequence of the triggering commands is chosen among the         set of sequences allowing the execution of the protected         software 2 p.

The first execution part 2 pes of the protected software 2 p, executed in the data processing system 3, executes triggering commands with renamed orders transferring renamed orders to the unit 6, and triggering in the unit 6 the restoring by means of the restoring means 20, of the orders, and then the execution by means of the second execution part 2 peu, of each of the previously defined dependent functions fd_(n).

In other words, the principle of protection by renaming is carried out by renaming the orders of the triggering commands, so as to obtain triggering commands with renamed orders whose execution in the data processing system 3, triggers in the unit 6, the execution of the dependent functions which would have been triggered by the triggering commands with not-renamed orders, without however the examination of the protected software 2 p enabling to determine the identity of the executed dependent functions.

FIG. 80 illustrates an example of execution of a vulnerable software 2 v. In this example, appears during the execution of the vulnerable software 2 v in the data processing system 3, at a certain time instant, the calculation of Z←F(X, Y) corresponding to the assignment to a variable Z of the result of an algorithmic processing represented by a function F and using the operands X and Y.

FIGS. 81 and 82 illustrate an example of implementation of the invention.

FIG. 81 illustrates the partial implementation of the invention. In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6, appear:

-   -   a at time instants t₁, t₂, the execution of the triggering         commands CD₁, CD₂ triggering in the unit 6, the execution by         means of the second execution part 2 peu, of the corresponding         dependent functions fd₁, fd₂ which provide the transfer of data         X, Y from the data processing system 3 to the memorization zones         respectively x, y located in the memorization means 15 of the         unit 6, said triggering commands CD₁, CD₂ being represented         respectively by OUT(X, X), OUT(y, Y),     -   at time instants t₃ to t_(N-1), the execution of the triggering         commands CD₃ to CD_(N-1), triggering in the unit 6, the         execution by means of the second execution part 2 peu, of the         corresponding dependent functions fd₃ to fd_(N-1), said         triggering commands CD₃ to CD_(N-1), being represented         respectively, by TRIG(fd₃) to TRIG(fd_(N-1)). The series of         dependent functions fd₃ to fd_(N-1) executed in combination is         algorithmically equivalent to the function F. More precisely,         the execution of said triggering commands leads to the execution         in the unit 6, of the dependent functions fd₃ to fd_(N-1) which         use the contents of the memorization zones x, y and return the         result in a memorization zone z of the unit 6,     -   and at time instant t_(N), the execution of a triggering command         CD_(N) triggering in the unit 6, the execution by means of the         second execution part 2 peu, of the dependent function fd_(N)         providing the transfer of the result of the algorithmic         processing contained in the memorization zone z of the unit 6 to         the data processing system 3, so as to assign it to the variable         Z, said command being represented by IN(z).

In this example, to completely implement the invention, are chosen as orders, the first argument of the triggering commands OUT and the argument of the triggering commands TRIG and IN. The orders chosen in this way are renamed using the method of renaming of the orders. In this manner, the orders of the triggering commands CD₁ to CD_(N) i.e, x, y, fd₃, fd_(N-1), z are renamed so as to obtain respectively R(x), R(y), R(fd₃) . . . , R(fd_(N-1)), R(z).

FIG. 82 illustrates the complete implementation of the invention. In this example, during the execution in the data processing system 3, of the first execution part 2 pes of the protected software 2 p, and in the presence of the unit 6, appear:

-   -   at time instants t₁, t₂, the execution of the triggering         commands with renamed orders CDCR₁, CDCR₂, transferring to the         unit 6, the renamed orders R(x), R(y) as well as the data X, Y         triggering in the unit 6 the restoring by means of the restoring         means 20, of the renamed orders to restore the orders i.e. the         identity of the memorization zones x, y, and then the execution         by means of the second execution part 2 peu, of the         corresponding dependent functions fd₁, fd₂ which provide the         transfer of the data X, Y from the data processing system 3 to         the memorization zones respectively x, y located in the         memorization means 15 of the unit 6, said triggering commands         with renamed orders CDCR₁, CDCR₂ being represented respectively         by OUT (R(x), X), OUT (R(y), Y),     -   at time instants t₃ to t_(N-1), the execution of the triggering         commands with renamed orders CDCR₃ to CDCR_(N-1), transferring         to the unit 6, the renamed orders R(fd₃) to R(fd_(N-1)),         triggering in the unit 6 the restoring by means of the restoring         means 20, of the orders, i.e. fd₃ to fd_(N-1), and then the         execution by means of the second execution part 2 peu, of the         dependent functions fd₃ to fd_(N-1), said triggering commands         with renamed orders ClCR₃ to CDCR_(N-1) being represented         respectively by TRIG (R(fd₃)) to TRIG R(fd_(N-1))),     -   and at time instant t_(N), the execution of the triggering         command with renamed order CDCR_(N) transferring to the unit 6,         the renamed order R(z) triggering in the unit 6 the restoring by         means of restoring means 20, of the order i.e. the identity of         the memorization zone z, and then the execution by means of the         second execution part 2 peu, of the dependent function fd_(N)         providing the transfer of the result of the algorithmic         processing contained in the memorization zone z of the unit 6 to         the data processing system 3, so as to assign it to the variable         Z, said triggering command with renamed order CDCR_(N) being         represented by IN (R(z)).

In the illustrated example, the triggering commands with renamed orders 1 to N are executed successively. It should be observed that two improvements can be effected:

-   -   The first improvement concerns the case where several         algorithmic processings are remoted to the unit 6 and at least         the result of one algorithmic processing is used by another         algorithmic processing. In this case, some triggering commands         with renamed orders used for the transfer, can possibly be         removed.     -   The second improvement aims at opting for a pertinent sequence         of the triggering commands with renamed orders among the set of         sequences allowing the execution of the protected software 2 p.         In this respect, it is preferable to choose a sequence of the         triggering commands with renamed orders which dissociate         temporally the execution of the dependent functions, by         intercalating, between them portions of code executed in the         data processing system 3 and including or not triggering         commands with renamed orders used of the determination of other         data. FIGS. 83 and 84 illustrate the principle of such an         embodiment.

FIG. 83 shows an example of execution of a vulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v, in the data processing system 3, the execution of two algorithmic processings leading to the determination of Z and Z′, such as Z←F (X, Y) and Z′←F′(X′, Y′).

FIG. 84 illustrates an example of implementation of the process according to the invention for which the two algorithmic proccesings chosen in FIG. 83 are remoted to the unit 6. According to such an example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6, appear, as explained above, the execution of the triggering commands with renamed orders CDCR₁ to CDCR_(N) corresponding to the determination of Z and the execution of the triggering commands with renamed orders CDCR′₁ to CDCR′_(M) corresponding to the determination of Z′. As illustrated, the triggering commands with renamed orders CDCR₁ to CDCR_(N) are not executed consecutively, inasmuch as the triggering commands with renamed orders CDCR′₁ to CDCR′_(M) as well as other portions of code are intercalated. In the example, the following sequence is thus carried out: CDCR₁, portion of intercalated code, CDCR′₁, CDCR₂, portion of intercalated code, CDCR′₂, CDCR′₃, portion of intercalated code, CDCR′₄, CDCR₃, CDCR₄, . . . , CDCR_(N), CDCR′_(M).

It should be observed that, during the execution of a portion of the first execution part 2 pes of the protected software 2 p, the triggering commands with renamed orders executed in the data processing system 3, trigger in the unit 6 the restoring of the identity of the corresponding dependent functions and then their execution. Thus, it appears that in the presence of the unit 6, said portion is executed correctly and that, consequently, the protected software 2 p is completely functional,

FIG. 85 illustrates an example of an attempt of execution of the protected software 2 p, when the unit 6 is missing. In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p, at every time instant, the execution of a triggering command with renamed order can trigger neither the restoring of the order nor the execution of the corresponding dependent function, because of the absence of the unit 6. The value to assign to the variable Z cannot therefore be determined correctly.

It therefore appears, that in the absence of the unit 6, at least one request by a portion of the first execution part 2 pes of the protected software 2 p, to trigger the restoring of an order and the execution of a dependent function in the unit 6 cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional.

Thanks to this principle of protection by renaming, the examination in the protected software 2 p of the triggering commands with renamed orders does not enable to determine the identity of the dependent functions which have to be executed in the unit 6. It should be observed that the renaming of the orders is carried out during the modification of the vulnerable 2 v to a protected software 2 p.

According to a variant of the principle of protection by renaming, is defined for at least one dependent function, a family of dependent functions algorithmically equivalent but triggered by different triggering commands with renamed orders. According to this variant, for at least one algorithmic processing using dependent functions, said algorithmic processing is split into dependent functions which for at least one of them is replaced with a dependent function of the same family instead of keeping several occurrences of the same dependent function. To this end, triggering commands with renamed orders are modified to take into account the replacement of dependent functions with dependent functions of the same family. In other words, two dependent functions of the same family have different orders and consequently different triggering commands with renamed orders and, it is not possible, by examining the protected software 2 p, to discover that the dependent functions called are algorithmically equivalent.

According to a first preferred embodiment of the variant of the principle of protection by renaming, is defined for at least one dependent function, a family of algorithmically equivalent dependent functions, by concatenating a noise field to the information defining the functional part of the dependent function to execute in the unit 6.

According to a second preferred embodiment of the variant of the principle of protection by renaming, is defined for at least one dependent function, a family of algorithmically equivalent dependent functions by using identification fields.

According to a preferred variant embodiment of the principle of protection by renaming, is defined as method of renaming of the orders a ciphering method enabling to cipher the orders to transform them into renamed orders. Remember that the renaming of the orders is carried out during the phase of protection P. For this preferred variant, the restoring means 20 are means implementing a deciphering method enabling to decipher the renamed orders and thus to restore the identity of the dependent functions to execute in the unit 6. Said restoring means are implemented in the unit 6 and can be of software or hardware nature. Said restoring means 20 are appealed to during the usage phase U each time a triggering command with renamed order is executed in the data processing system 3 with the intention of triggering in the unit 6, the execution of a dependent function.

According to another advantageous characteristic of the invention, the protection process aims at implementing a principle of protection called by (<<conditional branch >> a description of which is carried out in relation to FIGS. 90 to 92.

For the implementation of the principle of protection by conditional branch, is chosen in the source of the vulnerable software 2 vs, at least one conditional branch BC. Is also chosen at least one portion of the source of the vulnerable software 2 vs containing at least one chosen conditional branch BC.

At least one chosen portion of the source of the vulnerable software 2 vs is then modified, so as to obtain the source of the protected software 2 ps. This modification is such that, during the execution of the protected software 2 p, among others:

-   -   at least one portion of the first execution part 2 pes, which is         executed in the data processing system 3, takes into account         that the functionality of at least one chosen conditional branch         BC is executed in the unit 6,     -   and the second execution part 2 peu, which is executed in the         unit 6, executes at least the functionality of at least one         chosen conditional branch BC and puts at the data processing         system 3's disposal, a piece of information enabling the first         execution part 2 pes, to carry on its execution at the chosen         spot.

The first execution part 2 pes of the protected software 2 p, executed in the data processing system 3, executes conditional branches commands, triggering in the unit 6, the execution by means of the second execution part 2 peu, of remoted conditional branches be whose functionality is equivalent to the functionality of the chosen conditional branches BC.

FIG. 90 illustrates an example of execution of a vulnerable software 2 v. In this example, appears, during the execution of the vulnerable software 2 v in the data processing system 3 at a certain time instant, a conditional branch BC indicating to the vulnerable software 2 v the spot where to carry on its execution, i.e, one of the three possible spots B₁, B₂ or B₃. It must be understood that the conditional branch BC takes the decision to carry on the execution of the software at spot B₁, B₂ or B₃.

FIG. 91 illustrates an example of implementation of the invention for which the conditional branch chosen to be remoted to the unit 6, corresponds to the conditional branch BC. In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p and in the presence of the unit 6, appear:

-   -   at time instant t₁, the execution of the conditional branch         command CBC₁, triggering in the unit 6, the execution by means         of the second execution part 2 peu, of the remoted conditional         branch be algorithmically equivalent to the conditional branch         BC, said conditional branch command CBC₁, being represented by         TRIG(be),     -   and at time instant t₂, the transfer from the unit 6 to the data         processing system 3, of the information enabling the first         execution part 2 pes, to carry on its execution at the chosen         spot, i.e. the spot B₁ B₂ or B₃.

It should be observed that during the execution of a portion of the first execution part 2 pes of the protected software 2 p, the conditional branches commands executed in the data processing system 3 trigger the execution of the corresponding remoted conditional branches in the unit 6. Thus, it appears, that in the presence of the unit 6, said portion is executed correctly and that, consequently, the protected software 2 p is completely functional.

FIG. 92 illustrates an example of an attempt of execution of the protected software 2 p, when the unit 6 is missing In this example, during the execution in the data processing system 3 of the first execution part 2 pes of the protected software 2 p:

-   -   at time instant t₁, the execution of the conditional branch         command CBC₁, cannot trigger the execution of the remoted         conditional branch be, taking into account the absence of the         unit 6,     -   and at time instant t₂, the transfer of the piece of information         enabling the first execution part 2 pes to carry on at the         chosen spot fails taking into account the absence of the unit 6.

It therefore appears that in the absence of the unit 6, at least one request by a portion of the first execution part 2 pes to trigger the execution of a remoted conditional branch in the unit 6, cannot be fulfilled correctly, so that at least said portion is not executed correctly and that, consequently, the protected software 2 p is not completely functional.

In the previous description in relation to FIGS. 90 to 92, the subject of the invention aims at remoting in the unit 6, a conditional branch. Naturally, a preferred embodiment of the invention can be carried out by remoting in the unit 6, a series of conditional branches whose overall functionality is equivalent to all the functionalities of the conditional branches which have been remoted. The execution of the overall functionality of said series of remoted conditional branches leads to the placing at the data processing system 3's disposal of a piece of information enabling the first execution part 2 pes of the protected software 2 p to carry on its execution at the chosen spot.

In the previous description in relation to FIGS. 40 to 92, four different principles of software protection have been made explicit generally speaking independently of one another. The protection process in accordance with the invention, is implemented by using the principle of protection by detection and coercion, possibly combined with one or several other principles of protection. In the case where the principle of protection by detection and coercion is complemented by the implementation of at least another principle of protection, the principle of protection by detection and coercion is advantageously complemented by the principle of protection by variable and/or the principle of protection by renaming and/or the principle of protection by conditional branch.

And when the principle of protection by renaming is also implemented, it can be complemented in its turn by the principle of protection by conditional branch.

According to the preferred variant embodiment, the principle of protection by detection and coercion is complemented by the principle of protection by variable and by the principle of protection by renaming, complemented by the principle of protection by conditional branch.

In the case where a principle of protection is applied, in complement to the principle of protection by detection and coercion, its previously carried out description must include, to take into account its combined implementation, the following modifications:

-   -   the notion of vulnerable software must be understood as software         vulnerable towards the principle of protection being described,         Thus, in the case where a principle of protection has already         been applied to the vulnerable software, the expression         “vulnerable software” must be interpreted by the reader as the         expression “software protected by the principle(s) of protection         already applied”;     -   the notion of protected software must be understood as software         protected towards the principle of protection being described.         Thus, in the case where a principle of protection has already         been applied, the expression “protected software” must be         interpreted by the reader as the expression “new version of the         protected software”;     -   and the choice(s) made for the implementation of the principle         of protection being described must take into account the         choice(s) made for the implementation of the principle(s) of         protection already applied.

The rest of the description enables to have a better understanding of the implementation of the protection process in accordance with the invention. This protection process according to the invention is composed, as shown more precisely in FIG. 100:

-   -   first, of a protection phase P during which a vulnerable         software 2 v is modified to become a protected software 2 p,     -   then, of a usage phase U during which the protected software 2 p         is used. During this usage phase U:         -   in the presence of the unit 6 and each time a portion of the             first execution part 2 pes executed in the data processing             system 3 imposes it, an imposed functionality is executed in             the unit 6, so that said portion is executed correctly and             that, consequently, the protected software 2 p is completely             functional,         -   in the absence of the unit 6 and in spite of the request by             a portion of the first execution part 2 pes to execute a             functionality in the unit 6, said request cannot be             fulfilled correctly, so that at least said portion is not             executed correctly and that consequently, the protected             software 2 p is not completely functional,     -   and possibly of a phase of refilling R during which is credited         at least one additional usage of a functionality protected by         the implementation of the second preferred variant embodiment of         the principle of protection by detection and coercion using as         characteristic, a variable of measurement.

The protection phase P can be split into two protection sub-phases P₁ and P₂. The first one, called prior protection sub-phase P₁, takes place independently of the vulnerable software 2 v to protect. The second one, called subsequent protection sub-phase P₂ is dependent of the vulnerable software 2 v to protect, It should be observed that the prior protection sub-phase P₁ and the subsequent protection sub-phase P₂ can be carried out advantageously by two different persons or two different teams. For instance, the prior protection sub-phase P₁ can be carried out by a person or a company providing the development of software protection systems, while the subsequent protection sub-phase P₂ can be carried out by a person or a company providing the development of software requiring to be protected. Naturally, it is clear that the prior protection sub-phase P₁ and the subsequent protection sub-phase P₂ can also be carried out by the same 3 person or team.

The prior protection sub-phase P₁ is composed of several stages S₁₁, . . . , S₁₁ for each of which various tasks or jobs are to be carried out.

The first stage of this prior protection sub-phase P₁ is called “definitions stage S₁₁,”. During this definitions stage S₁₁:

-   -   are chosen:         -   the type of the unit 6. As an illustrative example, can be             chosen as unit 6, a chip card reader 8 and the chip card 7             associated to the reader,         -   and the transfer means 12, 13 designed to be implemented             respectively in the data processing system 3 and in the unit             6, during the usage phase U and capable of providing the             transfer of data between the data processing system 3 and             the unit 6,     -   are defined:         -   at least one software execution characteristic, liable to be             monitored at least in part in a unit 6,         -   at least one criterion to abide by for at least one software             execution characteristic,         -   detection means 17 to implement in a unit 6 and enabling to             detect that at least one software execution characteristic             does not abide by at least one associated criterion,         -   and coercion means 18 to implement in a unit 6 and enabling             to inform the data processing system 3 and/or modify the             execution of a software when at least one criterion is not             abided by,     -   and in the case where the protection process according to the         invention implements the principle of protection by detection         and coercion using as characteristic a variable of measurement         of the software execution, are also defined:         -   as software execution characteristic liable to be monitored,             a variable of measurement of the usage of a functionality of             a software,         -   as criterion to abide by, at least one threshold associated             to each variable of measurement,         -   and actualization means enabling to update at least one             variable of measurement,     -   and in the case where the protection process according to the         invention also implements a first preferred variant embodiment         of the principle of protection by detection and coercion using         as characteristic a variable of measurement of the software         execution, are also defined:         -   for at least one variable of measurement, several associated             thresholds,         -   and different coercion means corresponding to each of said             thresholds,     -   and in the case where the protection process according to the         invention implements a second preferred variant embodiment of         the principle of protection by detection and coercion using as         characteristic a variable of measurement of the software         execution, are also defined refilling means enabling to add at         least one additional usage to at least one software         functionality monitored by a variable of measurement,     -   and in the case where the protection process according to the         invention implements the principle of protection by detection         and coercion using as characteristic a profile of software         usage, are also defined:         -   as software execution characteristic liable to be monitored,             a profile of software usage,         -   and as criterion to abide by, at least one feature of             software execution,     -   and in the case where the protection process according to the         invention implements the principle of protection by detection         and coercion using as feature of execution to abide by, the         monitoring of the execution chaining, are also defined:         -   an instructions set whose instructions are liable to be             executed in the unit 6,         -   a set of instructions commands for said instructions set,             said instructions commands being liable to be executed in             the data processing system 3 and to trigger in the unit 6             the execution of the instructions,         -   as profile of usage, the chaining of the instructions,         -   as feature of execution, an expected chaining for the             execution of the instructions,         -   as detection means 17, means enabling to detect that the             chaining of the instructions does not correspond to the             expected one,         -   and as coercion means 18, means enabling to inform the data             processing system 3 and/or to modify the functioning of the             portion of protected software 2 p when the chaining of the             instructions does not correspond to the expected one,     -   and in the case where the protection process according to the         invention implements a preferred variant embodiment of the         principle of protection by detection and coercion using as         feature of execution to abide by, the monitoring of the         execution chaining, are also defined:         -   as instructions set, an instructions set whose at least some             instructions work with registers and use at least one             operand with the intention of returning a result,         -   for at least some of the instructions working with             registers:             -   a part PF defining the functionality of the instruction,             -   and a part defining the expected chaining for the                 execution of the instructions and including bits fields                 corresponding to:                 -   an identification field of the instruction CII,                 -   and for each operand of the instruction:                 -    a flag field CD_(k),                 -    and an expected identification field CIP_(k) of the                     operand,         -   for each register belonging to the exploitation means and             used by the instructions set, a generated identification             field CIG_(v) in which is automatically memorized the             identification of the last instruction which has returned             its result in said register,         -   as detection means 17, means enabling, during the execution             of an instruction, for each operand, when the flag field             CD_(k) imposes it, to check the equality of the generated             identification field CIG_(v), corresponding to the register             used by said operand, and the expected identification field             CIP_(k) of the origin of said operand,         -   and as coercion means 18, means enabling to modify the             result of the instructions, if at least one of the checked             equalities is false.     -   and in the case where the protection process according to the         invention implements the principle of protection by renaming,         are also defined:         -   as a triggering command, an instruction command,         -   as a dependent function, an instruction,         -   as an order, at least one argument for a triggering command,             corresponding at least in part to the information             transmitted by the data processing system 3 to the unit 6,             so as to trigger the execution of the corresponding             dependent function,         -   a method of renaming of the orders enabling to rename the             orders so as to obtain triggering commands with renamed             orders,         -   and restoring means 20 designed to be used in the unit 6             during the usage phase U, and enabling to restore the             dependent function to execute, from the renamed order,     -   and in the case where the protection process according to the         invention implements a variant of the principle of protection by         renaming, is also defined for at least one dependent function, a         family of dependent functions algorithmically equivalent, but         triggered by triggering commands whose renamed orders are         different     -   and in the case where the protection process according to the         invention implements one of the preferred embodiments of the         variant of the principle of protection by renaming, are also         defined for at least one dependent function, a family of         algorithmically equivalent dependent functions:         -   by concatenating a field of noise to the information             defining the functional part of the dependent function to             execute in the unit 6,         -   or by using the identification field of the instruction CII             and the expected identification fields CIP_(k) of the             operands.     -   and in the case where the protection process according to the         invention implements a preferred variant of the principle of         protection by renaming, are also defined:         -   as method of renaming of the orders, a ciphering method to             cipher the orders,         -   and as restoring means 20, means implementing a deciphering             method to decipher the renamed orders and thus restore the             identity of the dependent functions to execute in the unit             6.

During the prior protection sub-phase P₁, the definitions stage S₁₁, is followed by a stage called “construction stage S₁₂”. During such a stage S₁₂, are constructed the transfer means 12, 13 and the exploitation means corresponding to the definitions of the definitions stage S₁₁.

During this construction stage S₁₂, are therefore carried out:

-   -   the construction of the transfer means 12, 13 enabling, during         the usage phase U, the transfer of data between the data         processing system 3 and the unit 6,     -   the construction:         -   of the exploitation means enabling the unit 6, during the             usage phase U to also implement the detection means 17 and             the coercion means 18,         -   and possibly of the exploitation means enabling the unit 6,             during the usage phase U to also implement the actualization             means,         -   and possibly of the exploitation means enabling the unit 6,             during the usage phase U to also implement the refilling             means,         -   and possibly of the exploitation means also enabling the             unit 6, during the usage phase U to execute the instructions             of the instructions set,     -   and when the principle of protection by renaming is also         implemented, the construction of the exploitation means enabling         the unit 6, during the usage phase U to also implement the         restoring means.

The construction of the exploitation means is carried out classically, through a program development unit and taking into account the definitions intervened in the definitions stages S₁₁. Such a unit is described in the rest of the description in FIG. 110.

During the prior protection sub-phase P₁, the construction stage S₁₂ can be followed by a stage called “pre-customization stage S₁₃”. During this pre-customization stage S₁₃, at least a part of the transfer means 13 and/or the exploitation means are uploaded to at least one blank unit 60, with the intention of obtaining at least one pre-customized unit 66. It should be observed that part of the exploitation means, once transferred to a pre-customized unit 66, is no longer directly accessible outside said pre-customized unit 66. The transfer of the exploitation means to a blank unit 60 can be carried out through an adapted pre-customization unit, which is described in the rest of the description in FIG. 120. In the case of a pre-customized unit 66, constituted by a chip card 7 and its reader 8, the pre-customization concerns only the chip card 7.

During the prior protection sub-phase P₁, after the definitions stage S₁₁ and, possibly after the construction stage S₁₂, a stage called “tools making stage S₁₄” can take place. During this tools making stage S₁₄ are made tools enabling to help generate protected software or automate the protection of software. Such tools enable:

-   -   to help choose or to choose automatically in the vulnerable         software 2 v to protect:         -   the execution characteristic(s) to monitor and, possibly,             the algorithmic processing(s) liable to be split into             instructions remotable in the unit 6,         -   the portion(s) liable to be modified,         -   and when the principle of protection by variable is also             implemented, the variable(s) liable to be remoted in the             unit 6,         -   and when the principle of protection by renaming is also             implemented, the algorithmic processing(s) liable to be             split into dependent functions remotable in the unit 6 and             for which the orders of the triggering commands can be             renamed,         -   and when the principle of protection by conditional branch             is also implemented, the conditional branch(es) whose             functionality is liable to be remoted in the unit 6,     -   and, possibly, to help generate protected software or to         automate the protection of software.

These different tools can be carried out independently or in combination and each tool can have various forms, such as for instance pre-processor, assembler, compiler, etc.

The prior protection sub-phase P₁ is followed by a subsequent protection sub-phase P₂ which depends on the vulnerable software 2 v to protect. This subsequent protection sub-phase P₂ is composed of several stages as well. The first stage corresponding to the implementation of the principle of protection by detection and coercion is called “creation stage S₂₁”. During this creation stage S₂₁, the choices made during the definition stage S₁₁ are used. With the aid of said choices and possibly of tools constructed during the tools making stage S₁₄, the protected software 2 p is created:

-   -   a by choosing at least one software execution characteristic to         monitor, among the software execution characteristics liable to         be monitored,     -   a by choosing at least one criterion to abide by for at least         one chosen software execution characteristic,     -   by choosing, at least one algorithmic processing which, during         the execution of the vulnerable software 2 v, uses at least one         operand and enables to obtain at least one result, and for which         at least one chosen software execution characteristic, is to be         monitored,     -   by choosing at least one portion of the source of the vulnerable         software 2 vs containing, at least one chosen algorithmic         processing,     -   by producing the source of the protected software 2 ps from the         source of the vulnerable software 2 vs, by modifying at least         one chosen portion of the source of the vulnerable software 2 vs         to obtain at least one modified portion of the source of the         protected software 2 ps, this modification being such that:         -   during the execution of the protected software 2 p a first             execution part 2 pes is executed in the data processing             system 3 and a second execution part 2 peu is executed in a             unit 6, obtained from the blank unit 60 after upload of             information,         -   the second execution part 2 peu executes at least the             functionality of at least one chosen algorithmic processing,         -   and during the execution of the protected software 2 p, at             least one chosen execution characteristic is monitored by             means of the second execution part 2 peu and the fact that a             criterion is not abided by leads to a modification of the             execution of the protected software 2 p,     -   and by producing:         -   a first object part 2 pos of the protected software 2 p,             from the source of the protected software 2 ps, said first             object part 2pos being such that during the execution of the             protected software 2 p, appears a first execution part 2 pes             which is executed in the data processing system 3 and whose             at least a portion takes into account that at least one             chosen software execution characteristic is monitored,         -   and a second object part 2 pou of the protected software 2             p, containing the exploitation means implementing the             detection means 17 and the coercion means 18, said second             object part 2 pou being such that, after upload to the blank             unit 60 and during the execution of the protected software 2             p, appears the second execution part 2 peu by means of which             at least one chosen software execution characteristic is             monitored and by means of which the fact that a criterion is             not abided by leads to a modification of the execution of             the protected software 2 p.

Naturally, the principle of protection by detection and coercion according to the invention can be applied directly during the development of a new software without requiring the prior realization of a vulnerable software 2 v. In this way, a protected software 2 p is obtained directly.

For the implementation of the principle of protection by detection and coercion using as characteristic a variable of measurement of the software execution, the protected software 2 p is modified:

-   -   by choosing as software execution characteristic to monitor, at         least one variable of measurement of the usage of at least one         functionality of a software,     -   by choosing:         -   at least one functionality of the protected software 2 p             whose usage is liable to be monitored using a variable of             measurement,         -   at least one variable of measurement used to quantify the             usage of said functionality,         -   at least one threshold associated to a chosen variable of             measurement corresponding to a limit of usage of said             functionality,         -   and at least one method of update of a chosen variable of             measurement depending on the usage of said functionality,     -   and by modifying at least one chosen portion of the source of         the protected software 2 ps, this modification being such that,         during the execution of the protected software 2 p, the variable         of measurement is actualized by means of the second execution         part 2 peu depending on the usage of said functionality, and at         least one threshold crossing is taken into account.

For the implementation of a first preferred variant embodiment of the principle of protection by detection and coercion using, as characteristic, a variable of measurement, the protected software 2 p is modified:

-   -   by choosing in the source of the protected software 2 ps, at         least one chosen variable of measurement to which must be         associated several thresholds corresponding to different limits         of usage of the functionality,     -   by choosing at least two thresholds associated to the chosen         variable of measurement,     -   and by modifying at least one chosen portion of the source of         the protected software 2 ps, this modification being such that,         during the execution of the protected software 2 p, the         crossings of the various thresholds are taken into account         differently, by means of the second execution part 2 peu.

For the implementation of a second preferred variant embodiment of the principle of protection by detection and coercion using as characteristic, a variable of measurement, the protected software 2 p is modified:

-   -   by choosing in the source of the protected software 2 ps, at         least one chosen variable of measurement enabling to limit the         usage of a functionality and which must be able to be credited         with at least one additional usage,     -   and by modifying at least one chosen portion, this modification         being such that during a phase called of refilling, at least one         additional usage of at least one functionality corresponding to         a chosen variable of measurement can be credited.

For the implementation of the principle of protection by detection and coercion using as characteristic, a profile of software usage, the protected software 2 p is modified:

-   -   by choosing as software execution characteristic to monitor at         least one profile of software usage,     -   by choosing at least one feature of execution by which at least         one chosen profile of usage must abide,     -   and by modifying at least one chosen portion of the source of         the protected software 2 ps, this modification being such that,         during the execution of the protected software 2 p, the second         execution part 2 peu abides by all the chosen features of         execution.

For the implementation of the principle of protection by detection and coercion using as feature of execution to abide by, the monitoring of the execution chaining, the protected software 2 p is modified:

-   -   by modifying at least one chosen portion of the source of the         protected software 2 ps, this modification being such that:         -   at least one chosen algorithmic processing is split so that             during the execution of the protected software 2 p, said             algorithmic processing is executed by means of the second             execution part 2 peu, using instructions,         -   for at least one chosen algorithmic processing, instructions             commands are 3 integrated to the source of the protected             software 2 ps, so that during the execution of the protected             software 2 p, each instruction command is executed by the             first execution part 2 pes and triggers in the unit 6, the             execution by means of the second execution part 2 peu, of an             instruction,         -   a sequence of the instructions commands is chosen among the             set of sequences allowing the execution of the protected             software 2 p,         -   and the chaining by which must abide at least some of the             instructions during their execution in the unit 6 is             specified.

During the subsequent protection sub-phase P₂, and when at least another principle of protection is applied in addition to the principle of protection by detection and coercion, a “modification stage S₂₂” takes place. During this modification stage S₂₂, are used the definitions intervened in the definitions stage S₁₁. Using said definitions and possibly tools constructed during the tools making stage S₁₄, the protected software 2 p is modified to allow the implementation of the principles of protection according to one of the arrangements herebefore defined.

When the principle of protection by variable is implemented, the protected software 2 p is modified:

-   -   by choosing at least one variable used in at least one chosen         algorithmic processing, which during the execution of the         protected software 2 p, partially defines the state of the         protected software 2 p,     -   by modifying at least one chosen portion of the source of the         protected software 2 ps, this modification being such that         during the execution of the protected software 2 p, at least one         chosen variable or at least one copy of chosen variable resides         in the unit 6,     -   and by producing:         -   the first object part 2 pos of the protected software 2 p,             said first object part 2 pos being such that during the             execution of the protected software 2 p, at least one             portion of the first execution part 2 pes takes also into             account that at least one variable or at least one copy of             variable resides in the unit 6,         -   and the second object part 2 pou of the protected software 2             p, said second object part 2 pou being such that, after             upload to the unit 6 and during the execution of the             protected software 2 p, appears the second execution part 2             peu by means of which at least one chosen variable, or at             least one copy of chosen variable resides too in the unit 6.

When the principle of protection by renaming is implemented, the protected software 2 p is modified:

-   -   by choosing in the source of the protected software 2 ps,         triggering commands,     -   by modifying at least one chosen portion of the source of the         protected software 2 ps by renaming the orders of the chosen         triggering commands, so as to conceal the identity of the         corresponding dependent functions,     -   and by producing:         -   the first object part 2 pos of the protected software 2 p,             said first object part 2 pos being such that during the             execution of the protected software 2 p, the triggering             commands with renamed orders are executed,         -   and the second object part 2 pou of the protected software 2             p containing the exploitation means also implementing the             restoring means 20, said second object part 2 pou being such             that, after upload to the unit 6 and during the execution of             the protected software 2 p, the identity of the dependent             functions whose execution is triggered by the first             execution part 2 pes is restored by means of the second             execution part 2 peu, and the dependent functions are             executed by means of the second execution part 2 peu.

For the implementation of a variant of the principle of protection by renaming, the protected software 2 p is modified:

-   -   by choosing, in the source of the protected software 2 ps at         least one triggering command with renamed order,     -   and by modifying at least one chosen portion of the source of         the protected software 2 ps by replacing at least the renamed         order of one chosen triggering command with renamed order, with         another renamed order, triggering a dependent function of the         same family.

When the principle of protection by conditional branch is implemented, the protected software 2 p is modified:

-   -   by choosing, in the source of the protected software 2 ps, at         least one conditional branch carried out in at least one chosen         algorithmic processing,     -   by modifying at least one chosen portion of the source of the         protected software 2 ps, this modification being such that         during the execution of the protected software 2 p, the         functionality of at least one chosen conditional branch is         executed, by means of the second execution part 2 peu, in the         unit 6,     -   and by producing:         -   the first object part 2 pos of the protected software 2 p,             said first object part 2 pos being such that during the             execution of the protected software 2 p, the functionality             of at least one chosen conditional branch is executed in the             unit 6,         -   and the second object part 2 pou of the protected software 2             p, said second object part 2 pou being such that, after             upload to the unit 6 and during the execution of the             protected software 2 p, appears the second execution part 2             peu by means of which the functionality of at least one             chosen conditional branch is executed,

For the implementation of a preferred embodiment of the principle of protection by conditional branch, the protected software 2 p is modified:

-   -   by choosing, in the source of the protected software 2 ps, at         least one series of chosen conditional branches,     -   by modifying at least one chosen portion of the source of the         protected software 2 ps, this modification being such that         during the execution of the protected software 2 p, the overall         functionality of at least one chosen series of conditional         branches is executed, by means of the second execution part 2         peu, in the unit 6,     -   and by producing.         -   the first object part 2 pos of the protected software 2 p,             said first object part 2 pos being such that during the             execution of the protected software 2 p, the functionality             of at least one chosen series of conditional branches is             executed in the unit 6,         -   and the second object part 2 pou of the protected software 2             p, said second object part 2 pou being such that, after             upload to the unit 6 and during the execution of the             protected software 2 p, appears the second execution part 2             peu by means of which the overall functionality of at least             one chosen series of conditional branches is executed,

Naturally, the principles of protection according to the invention can be applied directly during the development of a new software without requiring the prior carrying out of intermediate protected pieces of software. In this way, the creation stage S₂₁, and the modification stage S₂₂ can be carried out concomitantly so as to obtain directly the protected software 2 p.

During the subsequent protection sub-phase P₂, after the creation stage S₂₁ of the protected software 2 p, and possibly after the modification stage S₂₂, a stage called “customization stage S₂₃” takes place. During this customization stage S₂₃, the second object part 2 pou containing the exploitation means is uploaded to at least one blank unit 60, with the intention of obtaining at least one unit 6, or a part of the second object part 2 pou possibly containing the exploitation means is uploaded to at least one pre-customized unit 66, with the intention of obtaining at least one unit 6. The uploading of this customization information enables to make operational at least one unit 6. It should be observed that part of said information, once transferred to a unit 6, is not directly accessible outside said unit 6. The transfer of the customization information to a blank unit 60 or a pre-customized unit 66 can be carried out through an adapted customization unit which is described in the rest of the description in FIG. 150. In the case of a unit 6, constituted by a chip card 7 and its reader 8, the customization concerns only the chip card 7.

For the implementation of the protection phase P, various technical means are described more precisely in relation to FIGS. 110, 120, 130, 140 and 150.

FIG. 110 illustrates an embodiment of a system 25 enabling to implement the construction stage S₁₂ which takes into account the definitions intervened during the definitions stage S₁₁, and during which are constructed the transfer means 12, 13 and possibly, the exploitation means intended for the unit 6. Such a system 25 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpretors, debuggers and link editors.

FIG. 120 illustrates an embodiment of a pre-customization unit 30 enabling to upload at least in part the transfer means 13 and/or the exploitations means to at least one blank unit 60 with the intention of obtaining a pre-customized unit 66. Said pre-customization unit 30 includes reading and writing means 31 enabling to electrically pre-customize, a blank unit 60 so as to obtain a pre-customized unit 66 to which the transfer means 13 and/or the exploitations means have been uploaded. The pre-customization unit 30 can also include physical customization means 32 of the blank unit 60 which can for instance, have the form of a printer. In the case where the unit 6 is constituted by a chip card 7 and its reader 8, the pre-customization generally concerns only the chip card 7.

FIG. 130 illustrates an embodiment of a system 35 enabling to carry out the making of the tools enabling to help generate protected software or to automate software protection. Such a system 35 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpreters, debuggers and link editors.

FIG. 140 illustrates an embodiment of a system 40 enabling to create directly a protected software 2 p or to modify a vulnerable software 2 v with the intention of obtaining a protected software 2 p. Such a system 40 includes a program development unit or workstation which has classically the form of a computer comprising a system unit, a screen, peripherals such as keyboard-mouse, and including, among others, the following programs: file editors, assemblers, pre-processors, compilers, interpretors, debuggers and link editors, as well as tools enabling to help generate protected software or to automate software protection.

FIG. 150 illustrates an embodiment of a customization unit 45 enabling to upload the second object part 2 pou to at least one blank unit 60 with the intention of obtaining at least one unit 6 or to upload a part of the second object part 2 pou to at least one pre-customized unit 66 with the intention of obtaining at least one unit 6. Said customization unit 45 includes reading and writing means 46 enabling to electrically customize, at least one blank unit 60 or at least one pre-customized unit 66, so as to obtain at least one unit 6. At the close of this customization, a unit 6 includes the information necessary to the execution of the protected software 2 p. The customization unit 45 can also include physical customization means 47 for at least one unit 6 which can for instance, have the form of a printer, In the case where a unit 6 is constituted by a chip card 7 and its reader 8, the customization generally concerns only the chip card 7.

The protection process according to the invention can be implemented with the following improvements:

-   -   It can be planned to use jointly several processing and         memorizing units between which is divided out the second object         part 2 pou of the protected software 2 p so that their joint use         enables to execute the protected software 2 p, the absence of at         least one of said processing and memorizing units preventing the         usage of the protected software 2 p.     -   In the same way, after the pre-customization stage S₃ and during         customization stage S₂₃, the part of the second object part 2         pou necessary to transform the pre-customized unit 66 into a         unit 6 can be contained in a processing and memorizing unit used         by the customization unit 45 so as to limit the access to said         part of the second object part 2 pou. Naturally, said part of         the second object part 2 pou can be divided out between several         processing and memorizing units so that said part of the second         object part 2 pou is accessible only during the joint use of         said processing and memorizing units. 

1. A process to protect, using at least one blank unit (60) including at least memorization means (15) and processing means (16), a vulnerable software (2 v) against its unauthorized usage, said vulnerable software (2 v) being produced from a source (2 vs) and working on a data processing system (3), said protection process comprising: during a protection phase (P): defining: at least one software execution characteristic, liable to be monitored at least in part in a unit (6), at least one criterion to abide by for at least one software execution characteristic, detection means (17) to implement in a unit (6) and enabling to detect that at least one software execution characteristic does not abide by at least one associated criterion, and coercion means (18) to implement in a unit (6) and enabling to inform the data processing system (3) and/or modify the execution of a software when at least one criterion is not abided by, constructing exploitation means enabling to transform the blank unit (60) into a unit (6) able to implement the detection means (17) and the coercion means (18), creating a protected software (2 p): by choosing at least one software execution characteristic to monitor, among the software execution characteristics liable to be monitored, by choosing at least one criterion to abide by for at least one chosen software execution characteristic, by choosing, at least one algorithmic processing which, during the execution of the vulnerable software (2 v), uses at least one operand and enables to obtain at least one result, and for which at least one chosen software execution characteristic, is to be monitored, by choosing at least one portion of the source of the vulnerable software (2 vs) containing, at least one chosen algorithmic processing, by producing the source of the protected software (2 ps) from the source of the vulnerable software (2 vs), by modifying at least one chosen portion of the source of the vulnerable software (2 vs) to obtain at least one modified portion of the source of the protected software (2 ps), this modification being such that: during the execution of the protected software (2 p) a first execution part (2 pes) is executed in the data processing system (3) and a second execution part (2 peu) is executed in a unit (6), obtained from the blank unit (60) after upload of information, the second execution part (2 peu) executes at least the functionality of at least one chosen algorithmic processing, and during the execution of the protected software (2 p), at least one chosen execution characteristic is monitored by means of the second execution part (2 peu) and the fact that a criterion is not abided by leads to a modification of the execution of the protected software (2 p), and by producing: a first object part (2 pos) of the protected software (2 p), from the source of the protected software (2 ps), said first object part (2 pos) being such that during the execution of the protected software (2 p), appears a first execution part (2 pes) which is executed in the data processing system (3) and whose at least a portion takes into account that at least one chosen software execution characteristic is monitored, and a second object part (2 pou) of the protected software (2 p), containing the exploitation means implementing the detection means (17) and the coercion means (18), said second object part (2 pou) being such that, after upload to the blank unit (60) and during the execution of the protected software (2 p), appears the second execution part (2 peu) by means of which at least one chosen software execution characteristic is monitored and by means of which the fact that a criterion is not abided by leads to a modification of the execution of the protected software (2 p), and uploading the second object part (2 pou) to the blank unit (60), with the intention of obtaining the unit (6), and during a usage phase (U) during which the protected software (2 p) is executed: in the presence of the unit (6): and as long as all the criteria corresponding to all the monitored execution characteristics of all the modified portions of the protected software (2 p) are abided by, enabling said portions of the protected software (2 p) to work nominally and consequently enabling the protected software (2 p) to work nominally, and if at least one of the criteria corresponding to a monitored execution characteristic of a portion of the protected software (2 p) is not abided by, informing the data processing system (3) of it and/or modifying the functioning of the portion of the protected software (2 p), so that the functioning of the protected software (2 p) is modified, and in the absence of the unit (6), in spite of the request by a portion of the first execution part (2 pes) to trigger the execution in the unit (6), of the functionality of a chosen algorithmic processing, in not being able to fulfill said request correctly, so that at least said portion is not executed correctly and that, consequently, the protected software (2 p) is not completely functional, wherein during the protection phase (P): defining: as software execution characteristic liable to be monitored, a profile of software usage, and as criterion to abide by, at least one feature of software execution, and modifying the protected software (2 p): by choosing as software execution characteristic to monitor at least one profile of software usage, by choosing at least one feature of execution by which at least one chosen profile of usage must abide, and by modifying at least one chosen portion of the source of the protected software (2 ps), this modification being such that, during the execution of the protected software (2 p), the second execution part (2 peu) abides by all the chosen features of execution, and during the usage phase (U) in the presence of the unit (6), and in the case where it is detected that at least one feature of execution is not abided by, informing the data processing system (3) of it and/or modifying the functioning of the portion of the protected software (2 p), so that the functioning of the protected software (2 p) is modified, wherein during the protection phase (P): defining: an instructions set whose instructions are liable to be executed in the unit (6), a set of instructions commands for said instructions set, said instructions commands being liable to be executed in the data processing system (3) and to trigger in the unit (6) the execution of the instructions, as profile of usage, the chaining of the instructions, as feature of execution, an expected chaining for the execution of the instructions, as detection means (17), means enabling to detect that the chaining of the instructions does not correspond to the expected one, and as coercion means (18), means enabling to inform the data processing system (3) and/or to modify the functioning of the portion of protected software (2 p) when the chaining of the instructions does not correspond to the expected one, constructing the exploitation means also enabling the unit (6) to execute the instructions of the instructions set, the execution of said instructions being triggered by the execution in the data processing system (3), of the instructions commands, and modifying the protected software (2 p): by modifying at least one chosen portion of the source of the protected software (2 ps), this modification being such that: at least one chosen algorithmic processing is split so that during the execution of the protected software (2 p), said algorithmic processing is executed by means of the second execution part (2 peu), using instructions, for at least one chosen algorithmic processing, instructions commands are integrated to the source of the protected software (2 ps), so that during the execution of the protected software (2 p), each instruction command is executed by the first execution part (2 pes) and triggers in the unit (6), the execution by means of the second execution part (2 peu), of an instruction, a sequence of the instructions commands is chosen among the set of sequences allowing the execution of the protected software (2 p), and the chaining by which must abide at least some of the instructions during their execution in the unit (6) is specified, and during the usage phase (U), in the presence of the unit (6), in the case where it is detected that the chaining of the instructions executed in the unit (6) does not correspond to the expected one, informing the data processing system (3) of it and/or modifying the functioning of the portion of the protected software (2 p), so that the functioning of the protected software (2 p) is modified, wherein during the protection phase (P): defining: as instructions set, an instructions set whose at least some instructions work with registers and use at least one operand with the intention of returning a result, for at least some of the instructions working with registers: a part (PF) defining the functionality of the instruction, and a part defining the expected chaining for the execution of the instructions and including bits fields corresponding to: an identification field of the instruction (CII), and for each operand of the instruction:  a flag field (CD_(k)),  and an expected identification field (CIP_(k)) of the operand, for each register belonging to the exploitation means and used by the instructions set, a generated identification field (CIG_(v)) in which is automatically memorized the identification of the last instruction which has returned its result in said register, as detection means (17), means enabling, during the execution of an instruction, for each operand, when the flag field (CD_(k)) imposes it, to check the equality of the generated identification field (CIG_(v)) corresponding to the register used by said operand, and the expected identification field (CIP_(k)) of the origin of said operand, and as coercion means (18), means enabling to modify the result of the instructions, if at least one of the checked equalities is false, and wherein for each said operand, said flag field (CD_(k)) abd saud expected identification field (CIP_(k)) are merged into a tag field and at least one value of each said tag field is used to indicate that equality with said generated identification field (CIG_(v)) shall not be checked.
 2. A method to protect software comprising: storing a first portion of the software on a first unit, wherein the first unit comprises a memory and a processor; storing a second portion of the software on a second unit, wherein the second unit comprises a secure processor and a secure memory, wherein the second portion of the software is secret, and wherein the first and second portions of the software form a single executable program; and executing the program, wherein operations performed during the execution comprise: the first portion provides input to the second portion, the second portion provides a result to the first portion wherein the second unit comprises a detection module that detects a software execution characteristic of said operations performed during the execution that does not abide to an associated criterion, and wherein, when the detection module detects the none abiding software execution characteristic, a coercion module of the second unit informs the first unit of the none abiding software execution characteristic and modifies the executed program.
 3. The method according to claim 2, wherein the modification of the executed program comprises stopping the execution of the program.
 4. The method according to claim 2, wherein the second unit is a chip medium configured to attach and detach to the first unit.
 5. The method according to claim 2, wherein the processor of the second unit is a coprocessor of the processor of the first unit.
 6. The method according to claim 2, wherein the second unit is a token.
 7. The method according to claim 2, wherein, when the detection module of the second unit detects that the result obtained by the second portion does not abide to the associated criterion, the coercion module of the second unit modifies the executed program to stop the execution of the program.
 8. A method to protect a vulnerable software working on a data processing system against its unauthorized usage using a unit comprising a processor and a memory and is configured to attach and detach to the processing system, the method comprising: defining a software execution characteristic liable to be monitored at least in part in the unit; defining a criterion to abide by for said software execution characteristic; detecting, in the unit, that the defined software execution characteristic does not abide by the defined associated criterion; and informing the data processing system by the unit when the defined associated criterion is not abided.
 9. The method according to claim 8, further comprising modifying the execution of a software when the defined associated criterion is not abided by. 